Secure your email, not just your email account

The risks of having your email hacked are high, but the reaction of most has been muted. Email security is a problem that continues to pop up in the news every two weeks, and something needs to change.

Email is a perfect target for hackers. If you want to find out everything about someone, all you need is their email account. Once you're in, search for terms like "password" and hope that they've either sent or received an email with a plain text password. Email is a great place to get more passwords and private data.

After all of these scandals and hacks, the common wisdom is to write news stories and blog posts encouraging everyone to turn on two-factor authentication (2FA). Everyone should turn on 2FA for everything immediately; this is true. Our systems leverage the identity services of webmail providers such as Yahoo!, Outlook.com, and Gmail, so turning on 2FA will provide more security and make it nearly impossible for someone to hack your email account by guessing a password.

Turning on 2FA will secure your account from hackers, but it really doesn't make your email any more protected than it is now. Yes, it will be difficult for a hacker to break into your account: they would have to steal your password and steal your smartphone. Your account may not be compromised, but the emails you send to others are still very much at risk.

Email security: Lowest common denominator

When you send an email with sensitive information, that email is only as safe as your recipient's inbox. You can secure your account as much as you want to, but if you send that sensitive, secret business plan to a friend, you are trusting that they also run 2FA. The network effect of email, the fact that your recipient can forward that attachment to others, just increases the risk.

2FA isn't for everyone

Given that email security depends not just on your own email account's security but on your recipient's, you should be encouraging the people to whom you send email to turn on 2FA.

After you turn on 2FA for yourself, you should set aside the entire day to call up everyone in your address book and ask them to also turn on 2FA. Then ask all of these same people to call up the people they might forward your emails to and ask them to turn on 2FA. If you really want your information to be secure, you're going to have to make sure that everyone between you and Kevin Bacon has 2FA turned on.

Are you going to do this? Probably not. If you did this, maybe 10 percent of the people you communicate with would think of turning on 2FA. The reality of 2FA is that normal people don't turn it on. They should, but even though companies like Facebook and Google have made it very easy, it is still a hassle, and many people still believe that "they have nothing to hide." It isn't until people get hacked that they realize how important it is.

Assume that no one turns on two-factor even after reading all these blog posts about email hacks. What do you do?

Secure your email, not just your email account

Email is plaintext. It can be encrypted when it is sent over a network and it can be encrypted on a server, but the way email was designed relies on a server reading plain text headers to get a list of email addresses, a subject, and a body. Attachments are encoded but not encrypted, and when a recipient gets an email, nothing checks whether that person has permission to read it.
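To make the "encoded but not encrypted" point concrete, here is an added example (not part of the original article) that builds a message with an attachment and then reads it back the way any server or mailbox holding the raw bytes could. The addresses, file name and plan text are constructed sample data.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample data standing in for a sensitive attachment.
SECRET_PLAN = b"Q3 business plan: acquire ExampleCo (constructed sample data)"


def build_message() -> bytes:
    """Sender side: compose a message with an attachment and serialize it."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Secret business plan"
    msg.set_content("Plan attached. Please keep it private.")
    msg.add_attachment(SECRET_PLAN, maintype="application",
                       subtype="octet-stream", filename="plan.bin")
    return msg.as_bytes()


def read_as_any_holder(raw: bytes) -> dict:
    """Recover everything from the raw bytes. No key or password is used."""
    msg = message_from_bytes(raw, policy=policy.default)
    attachments = {}
    for part in msg.iter_attachments():
        attachments[part.get_filename()] = {
            # base64 is a transfer encoding, not a cipher
            "encoding": str(part["Content-Transfer-Encoding"]),
            "content": part.get_content(),
        }
    body = msg.get_body(preferencelist=("plain",)).get_content().strip()
    return {
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "subject": str(msg["Subject"]),
        "body": body,
        "attachments": attachments,
    }


if __name__ == "__main__":
    seen = read_as_any_holder(build_message())
    print(seen["subject"], "->", seen["to"])
    for name, info in seen["attachments"].items():
        print(name, info["encoding"], info["content"])
```

Transport encryption (TLS between servers) and 2FA on the account change who can obtain these bytes, not what the bytes reveal once someone has them.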

This is the real insecurity of email, not the fact that email accounts might have weak authentication. Don't get me wrong, that's a bad thing, but it isn't the fundamental problem that needs to be solved in email. What needs securing isn't your account; it is the data in your account.

This is the real solution to securing email: an envelope that gives email senders control over the messages they send. It means that you no longer have to fall prey to the network effect of insecure email accounts. You can limit your audience and exert some control over the data you share with others.
